CRYOGENIC STORAGE AND THE LIMITS OF QUALITATIVE SAFEGUARDS

The Scenario:

An import facility features a large, double-walled Liquefied Natural Gas (LNG) storage tank. During a HAZOP review of the liquid inlet line, the team evaluated “MORE TEMPERATURE” (warm LNG entering the cryogenic tank). The team correctly noted that warm liquid would cause rapid boiling, massive vapor generation, and sudden tank overpressurization—a phenomenon known as “rollover.”

The HAZOP team listed four distinct safeguards: an automated tank pressure control valve, a high-pressure alarm, an independent automated vapor-recovery compressor, and ultimately, a bank of safety relief valves. Qualitatively, a matrix would show four layers of protection, easily making the scenario look green.

The QRA / Layer of Protection Analysis (LOPA) Reality Check:

When the scenario was fed into a quantitative framework, the “illusion of safety” collapsed. By assigning actual Probability of Failure on Demand (PFD) numbers to the listed safeguards, a glaring issue emerged:

Because the control valve and the alarm shared the same physical pressure transmitter line, a single plug or freezing event in that sensing line would cause both safeguards to fail simultaneously. The actual collective frequency of a catastrophic tank overpressure event was mathematically far higher than corporate risk tolerance thresholds allowed.

Key Learnings:

• Beware of “Safeguard Stacking”: A HAZOP team can easily list five safeguards on a sheet, but if they share a common power source, a single instrument air line, or a lone sensor, they count as a single point of failure.
• Quantifying Independence: QRA and LOPA strip away subjective optimism by demanding that each safeguard be a truly Independent Protection Layer (IPL). If it isn’t independent, the math forces you to discard it from your risk reduction model.

Labels: LOPA, Common Cause Failure, LNG Storage, Cryogenics